New Member

How to send Internet traffic to VPN tunnel endpoint & not outside interface

Two endpoints, a PIX 501 and a PIX 515, connected with an IPSEC tunnel. The PIX 501 uses DHCP to get its IP address and route info. Therefore, all internet traffic goes out the outside interface. I want to send internet traffic to the tunnel endpoint where the 505 is, so that our application layer firewall can apply policies. How do I accomplish this?

9 REPLIES
Green

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Specify your interesting traffic and NAT exemption ACLs as being to any in the 501; then all traffic will pass over the tunnel.

Also, you said 505, did you mean 515?

Please rate helpful posts.

New Member

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Yes, I meant 515. Here is my ACL:

access-list NONAT permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 192.168.7.0 255.255.255.0 10.1.0.0 255.255.0.0

So, if I understand you correctly, I need to add the following to my ACLs at the 501 end and do the same at the 515 end for the corresponding EDM ACL for the tunnel:

access-list NONAT permit ip any any
access-list EDM permit ip any any

Is this correct?

Thank you for your response.

Green

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Not exactly. If you add those lines to the 515, then all traffic from the 515 will go over the tunnel as well, which you don't want, right?

I would make it like this...

501

access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
access-list EDM permit ip 192.168.7.0 255.255.255.0 any

515

access-list NONAT permit ip any 192.168.7.0 255.255.255.0
access-list EDM permit ip any 192.168.7.0 255.255.255.0

This way, all traffic from the 501 will cross the tunnel, but only traffic for 192.168.7.x will cross the tunnel from the 515.

Green

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Did that help?

New Member

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Sorry for the delay, fires to put out... I hope to return to this issue later today. I will test and definitely let you know.

Regards,

New Member

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Tried today. The tunnel came up, but Internet did not work. Here are the commands/changes that I made, with public IP info x/y'd out.

501 config

no access-list NONAT
access-list NONAT permit ip 192.168.7.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
no crypto map newmap 10
no access-list EDM
access-list EDM permit ip 192.168.7.0 255.255.255.0 any
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address EDM
crypto map newmap 10 set peer x.x.x.x
crypto map newmap 10 set transform-set ESP-3DES-SHA
crypto map newmap interface outside

505 config

no crypto map outside_map 10
no access-list FTMAC
access-list FTMAC permit ip any 192.168.7.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address FTMAC
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA

The NAT info at the 505 end is set up for numerous sites, not just the FTMAC site. I did not change those rules.

access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0

New Member

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Hello,

This is going to depend on whether the 515 is the firewall through which you route all your internet traffic.

It's not going to be possible with version 6 PIX software. Version 7 lets you re-route traffic back out the interface it came in on.

Unless you can force users to a proxy on an internal network behind the 515, it's not going to work.

Green

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

murray, sorry about that, I thought you had that part worked out. As the previous poster said, you will need your 515 to be version 7 for this to work unless you have some proxy on the inside. Here is the document for public internet on a stick.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

New Member

Re: How to send Internet traffic to VPN tunnel endpoint & not ou

Thank you, Acomiskey, for the link. Yes, unfortunately we are at v6.3. We have delayed upgrading because we use PPTP VPN tunneling and are in the process of evaluating the ASA5500 series. Thanks for your help.
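For readers who do make the jump to PIX 7.x, the hub-side pieces the last few replies refer to (letting tunnel traffic turn around and leave the outside interface again, and PATing the spoke LAN to the outside address) look like the snippet below. This is an added illustration, not configuration from this thread or from the linked Cisco document; it assumes the same names the poster used (outside_map, FTMAC, NONAT, ESP-3DES-SHA), an interface named "outside", the spoke LAN 192.168.7.0/24, and the placeholder peer y.y.y.y. The spoke (501) keeps its "192.168.7.0/24 to any" crypto and NAT exemption ACLs exactly as posted above.

```cisco
! Added example for a PIX 515 running 7.x (hub side). Names and addresses are
! assumed to match the thread; y.y.y.y is a placeholder peer, as in the thread.

! 1. Permit traffic that arrived on "outside" (decrypted from the tunnel) to be
!    routed back out "outside" toward the Internet. This is the 7.x capability the
!    thread says 6.x lacks.
same-security-traffic permit intra-interface

! 2. Crypto ACL: anything destined for the spoke LAN is interesting traffic,
!    mirroring the spoke's "192.168.7.0/24 -> any". Internet replies to spoke hosts
!    match this after their destination is un-PATed, so they are encrypted back to the 501.
access-list FTMAC extended permit ip any 192.168.7.0 255.255.255.0

! 3. NAT exemption stays limited to hub-LAN <-> spoke-LAN private traffic, on the
!    inside interface only. Do NOT exempt "any -> any": spoke traffic bound for the
!    Internet must be translated so it leaves with a public source address.
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. Spoke traffic enters on "outside" and exits on "outside", so it needs an
!    outside-interface NAT rule: PAT 192.168.7.0/24 to the outside address.
nat (outside) 1 192.168.7.0 255.255.255.0
global (outside) 1 interface

! 5. Crypto map as posted in the thread.
crypto map outside_map 10 match address FTMAC
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

Two checks worth doing after applying something like this: confirm with "show crypto ipsec sa" that a security association exists for any <-> 192.168.7.0/24 (not just the private subnets), and confirm with "show xlate" that spoke hosts browsing the Internet appear as translations on the outside address. If the first is present but the second is empty, the hairpin (step 1) or the outside NAT rule (step 4) is what is missing.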

268 Views, 13 Helpful, 9 Replies